Lucene search

Cloud FoundryCFOUNDRY:5A57744D33ED4E15F6FFCA55B8815699

HistoryMar 14, 2017 - 12:00 a.m.

USN-3193-1: Nettle vulnerability | Cloud Foundry

2017-03-1400:00:00

Cloud Foundry

www.cloudfoundry.org

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.004 Low

EPSS

Percentile

72.1%

JSON

Severity

Medium

Vendor

Canonical Ubuntu

Versions Affected

Canonical Ubuntu 14.04 LTS

Description

It was discovered that Nettle incorrectly mitigated certain timing side-channel attacks. A remote attacker could possibly use this flaw to recover private keys.

Affected Cloud Foundry Products and Versions

Severity is medium unless otherwise noted.

Cloud Foundry BOSH stemcells are vulnerable, including:
- 3151.x versions prior to 3151.11
- 3233.x versions prior to 3233.14
- 3263.x versions prior to 3263.20
- 3312.x versions prior to 3312.20
- 3363.x versions prior to 3363.9
All versions of Cloud Foundry cflinuxfs2 prior to v1.100.0

Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

The Cloud Foundry team recommends upgrading to the following BOSH stemcells:
- Upgrade 3151.x versions to 3151.11 or later
- Upgrade 3233.x versions to 3233.14 or later
- Upgrade 3263.x versions to 3263.20 or later
- Upgrade 3312.x versions to 3312.20 or later
- Upgrade 3363.x versions to 3363.9 or later
The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 v1.100.0 or later versions